Security check

Dockerfile security: an insecure image is an insecure service

A container is only as secure as its image. We check your Dockerfiles for root execution, baked-in secrets, unpinned bases and other common gaps.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 ISO 27001 Β· A.8.9 / A.8.28 CIS Β· Controls v8

What we check

We review your Dockerfiles: does the container run as root, are pinned base images used (not :latest), are secrets baked into layers, and is the attack surface minimised with multi-stage builds and small bases?

Why it matters

A root container that's compromised is a bigger breach than a non-privileged one. Baked-in secrets in image layers are leaks that follow every pull. Container hardening is a core control in the CIS Controls and increasingly required.

How Security Guru tests it

Common mistakes

  • No USER β†’ the container runs as root
  • FROM ...:latest β†’ unreproducible, drifting bases
  • Secrets in ARG/ENV baked into layers
  • Full OS base when a slim/distroless would suffice

What you get in the report

  • Gaps per Dockerfile with line references
  • Root execution and baked-in secrets prioritised
  • Concrete Dockerfile changes per finding
  • Mapping to CIS Controls v8 / ISO A.8.9

FAQ

Do you scan the image too?

The Dockerfile check reads your Dockerfiles. We can also scan built images for vulnerable packages as a separate step.

Is root always wrong?

Almost always unnecessary. A dedicated non-privileged user dramatically reduces the damage of a breach.

Does it run in our CI?

Yes β€” the check can run as a gate in your pipeline via pre-run.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan